On Tuesday, the Department of Health and Human Services issued a proposed rule to modify the Health Insurance Portability and Accountability Act's (HIPAA) privacy rule standard for accounting of disclosures of protected health information. Under the proposal, patients could request an access report that would document the particular entities who electronically accessed and viewed their protected health information. Although covered entities that currently required by the HIPAA security rule to track access to electronic protected health information, they are not required to share this information with patients.

The purpose of these modifications is, in part, to implement the statutory requirement under the Health Information Technology for Economic and Clinical Health (HITECH) Act that requires covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.